Privacy Policy of BIKE24

The protection of your personal data is an important concern for us. When processing this data, BIKE24 will strictly observe the applicable provisions of data protection law in the European Union, and of data protection law in the Federal Republic of Germany.

By means of this Data Privacy Statement, we are informing you of what data we collect on our websites, for what purposes we process this data, and to which recipients we may possibly transfer this data, and of the legal bases for the data processing, the period for which the data will be stored, the controllers responsible for the processing, as well as your rights.

The controller responsible for the data processing within the meaning of Article 13 (1) a) of the General Data Protection Regulation (GDPR) is:

Bike24 GmbH
Breitscheidstr. 40
01237 Dresden
Tel.: 0351/417497-50
Fax.: 0351/417497-79
Email: datenschutz at bike24.net

If you wish to contact our data protection officer, please use the following contact details:

Breitscheidstr. 40
01237 Dresden
Email: [email protected]

Article 4 (1) GDPR defines personal data as any information relating to an identified or identifiable natural person. Personal data includes, for example, name, address, telephone number, email address, bank account details, credit card number.

If you place an order with BIKE24, we shall need personal data for the purposes of processing the purchase, including shipping the goods that you have ordered, handling returns or dealing with complaints. Specifically, we shall need details relating to your name, postal address, email address and, if applicable, essential payment details. It is essential that you provide your email address so that we can send you confirmation of receipt of your order, notify you of the shipment of your goods and/or contact you. Therefore, this data processing will take place for the purpose of performing the contract.

Even before a contract is concluded, you may have already contacted BIKE24 and, for example, sent us an email enquiry requesting our advice. In this case, the data received from you, such as your email address and possibly your name, will be processed by us for the purpose of carrying out precontractual measures.

Article 6 (1) b) GDPR is the legal basis for data processing for the purpose of performing a contract or for carrying out precontractual measures as a result of an enquiry from the data subject.

For handling your order, BIKE24 will pass on personal data to service partners such as payment service providers (including, but not limited to, banks, Paypal, Amazon Pay, credit card companies) and shipping service providers (including, but not limited to, DHL, DPD, Hermes, forwarders), insofar as this is necessary for the performance of your contract. It is also possible that your personal data will be passed on to a supplier delivering the goods directly to you. The recipient must use the transferred data only for the performance of its task. Any use beyond this is not permitted.

Personal data processed for the performance of the contract will be stored by us for the statutory period of limitation.

The data necessary under commercial law or fiscal law will be stored by us for the retention periods prescribed by law under Section 257 HGB [German Commercial Code] and Section 147 AO [Tax Code], generally for a period of 10 years.

Personal data processed for carrying out precontractual measures will be erased within 12 months if no contract is concluded.

BIKE24 uses the service provider parcelLab GmbH, Kapellenweg 6, 81371 Munich, Germany, to inform customers about the shipment of their ordered goods and also to send information about the shipment status. In order to make this possible, BIKE24 transmits order data to parcelLab, including personal data that is necessary for parcelLab to provide the service. This includes, among others, name, title, address, e-mail address, order number. ParcelLab acts for BIKE24 within the scope of contractually agreed processing of data within the meaning of Art. 28 GDPR. ParcelLab is contractually obliged to ensure the protection of your data by suitable technical and organisational measures. The legal basis for this data processing is Art. 6 (1) b) GDPR and Art. 28 GDPR. Additional information can be found in the privacy policy of parcelLab: https://parcellab.com/en/privacy-policy/.

You can subscribe to the BIKE24 newsletter as part of the ordering process or separately via our shop pages. We use the double opt-in procedure to confirm your request. This means that you will receive an e-mail from us with a link via which you, as the owner of the e-mail address, can confirm your subscription to the newsletter. Only after this confirmation the subscription to the newsletter is complete.

We use the data you provide for advertising purposes after you have registered for the newsletter. We store your e-mail address and the language in which you use the webshop.

If you have consented to personalised advertising, we also process tracking data on your user behaviour when visiting our webshop, including data from purchases made or cancelled and when using our newsletter, for the purpose of personalising our newsletter and our advertising emails. In addition, we may associate the e-mail address used with your order history and the data stored about individual orders placed by you (e.g. your address, your shopping baskets or your purchasing behaviour). Furthermore, we store data on your interests, your title, your name and your date of birth, if and insofar as you have provided this optional information as part of the newsletter registration.

Art. 6 (1) a) GDPR is the legal basis for this data processing. The data processing will take place only according to express consent.

The dispatch of the newsletter as well as the storage and administration of the mentioned data are carried out by CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede, Germany and Emarsys eMarketing Systems GmbH, Märzstrasse 1, 1150 Vienna, Austria. These providers are undertaking a contractually agreed processing of data within the meaning of Article 28 of the GDPR. CleverReach and Emarsys are contractually obliged to ensure the protection of your data through appropriate technical and organisational measures. Apart from transfering the mentioned data to CleverReach and Emarsys no other data transfer takes place to third parties.

You can revoke your consent at any time with effect for the future. Each newsletter contains an unsubscribe link for this purpose. If you use the unsubscribe link, the unsubscribe of your e-mail adress will be executed immediately. Furthermore, you can revoke your consent at any time by sending an e-mail to [email protected]. The data record belonging to your e- mail address can be stored for up to three years after unsubscribing for reasons of proof and to defend against legal claims. The relevant data record will then be deleted automatically. Art. 6 (1) f) GDPR is the legal basis for this data processing.

You can revoke your consent in whole or in part. In particular, you have the option of revoking only your consent to the personalisation of our newsletter by sending an email to [email protected]. If you limit your revocation to personalisation, we may send you our general newsletter.

In addition, we store the data of the application under the double opt-in procedure. Art. 6 (1) f) GDPR is the legal basis for this data processing. The essential justified interest lies in proving an existing consent.

You have the possibility of creating a BIKE24 customer account. This password-protected, personal access offers you a series of useful features, including, but not limited to, viewing of the orders that you have placed in the preceding 2 years, displaying and downloading of your invoices, management of personal customer data, addition and editing of different delivery addresses, saving of a standard payment method and creation of a personal reminder note and/or wish list.

Article 6 (1) a) GDPR is the legal basis for this data processing. The data processing will take place only according to express consent. The data submitted to the customer account will be stored as long as your consent exists. You may revoke this consent at any time with effect for the future. An informal notification using the contact details stated under Section 1 will suffice for this. If your consent is revoked, your customer account, including the data submitted to it, will be deleted.

BIKE24 uses the service of the provider eTermin GmbH, im Wiesengrund 8, CH-8304 Wallisellen, Switzerland, to enable customers and visitors of the "BIKE24 Service Point Dresden" and the “BIKE24 Service Point Berlin“ to book appointments online. When using this booking tool, we collect and process the following personal data: salutation, name, telephone number, e-mail address and the entered appointment request. The provision of this data is mandatory. The data is necessary for the coordination of the appointment requests. In addition, we process the personal data that you enter in the free text box. Your personal data will be deleted after your appointment request has been processed. Your appointment request is regularly completed with the visit to our store or the cancellation of a booked appointment by yourself.

The legal basis for this data processing is Art. 6 (1) f) GDPR. The essential justified interest lies in providing the possibility of booking an appointment and to be able to coordinate appointment requests for the purpose of improved preparation of customer visits to our shop.

Insofar as the provider eTermin GmbH can access your personal data, eTermin GmbH acts as a data processor in accordance with Art. 28 GDPR. The data processor may only process your data in accordance with our instructions and not for its own purposes. The provider is based in Switzerland. For this country the European Commission determined the existence of adequate protection of personal data in its decision of 26.07.2000. This decision remains valid after the entry into force of the GDPR. You are free to request a copy of this decision from our data protection officer.

In order for us to provide you with the best possible advice in our webshop and to offer you bikes that fit your measurements, you have the option of using the SMARTFiT online sizing tool (click on "Calculate size" in the size settings on each bike product detail page) to enter your height and gender as well as your arm and leg length. SMARTFiT then calculates the bike size that fits you and checks if the desired bike (or a suitable alternative) is available in the required size in our webshop.

To avoid that you have to enter your data again within a short period of time, SMARTFiT stores your data together with a session ID for a short time frame in the local memory of your browser (Local Storage). The data is deleted after four hours of inactivity.

We can evaluate the frequency of use of the tool via SMARTFiT, but no conclusions about natural persons can be drawn from the evaluation.

SMARTFiT is a service of Radlabor GmbH, Heinrich-von-Stephan-Str. 5c, 79100 Freiburg, Germany. Personal data is processed exclusively on servers loacted in Germany. Further information on data processing in connection with the use of the tool can also be found in FAQ of the provider.

The legal basis for the storage in and the reading out of the data from the local storage is section 25 para. 2 no. 2 of the Telecommunications-Telemdia Data Protection Act. The legal basis for the processing of your personal data is our prevailing legitimate interest pursuant to Art. 6 para. 1 lit. f of the GDPR to be able to suggest suitable bikes for you and to enable an optimized shopping experience in our online store. Our legitimate interest prevails any conflicting interests you may have, in particular as the data processing only takes place if you actively use the tool.

You have the option of agreeing to a free-of-charge consultation, during which we will be able to advise you individually on our products. You can take up this consultation either as a video call in the form of an online meeting, or by telephone or email. You can choose how you would like the consultation when booking the appointment (see point 2.6., e-appointment). Prior to the appointment you will receive a confirmation email for the video call with an invitation link or an appointment confirmation in the case of a telephone consultation. Only personal data (e.g. body measurements) that you share with us will be processed as part of the consultation appointment and which is necessary for the consultation.

If you decide on a video consultation, we use Microsoft Teams (“Teams”) for this. This is a software tool from Microsoft Ireland Operations Limited, South County Business Park, Leopardstown, Dublin 18, Ireland (“Microsoft”) which is available as a desktop, web or mobile app. We have no influence over, and are not responsible for, further data processing on the Teams product website, nor where the desktop software is downloaded or where the web app can be used.

When using Teams, personal data is processed which largely depends on which information you provide and how you use Teams:

• Information on the participant, e.g. display name, first name, last name, telephone number, email address, password (encrypted for authentication purposes), profile picture;
• Meeting metadata, e.g. date, time, meeting ID, topic and description of the meeting (optional), IP address, participant’s telephone number where necessary, type of device/software (Windows/Mac/Linux/Web/iOS/Android), time of participant’s last activity on Teams, number of chat and channel messages, number of meetings attended, audio, video and screen-sharing time;
• For telephone meetings: incoming and outgoing numbers, country name, start and end time, where applicable, connection data such as the IP address of the device.

During the online meeting, you have the option to voluntarily enable the camera and/or the microphone on your end device and/or to use the Teams chat function. In this case the following data will be processed in order to display them during the meeting and to communicate with you:

• When using the chat function: text data to display and, where applicable, for logging;
• If the microphone on the end device is enabled: microphone recording data (audio);
• If the camera on the end device is enabled: video camera recording data (video);

However, the online meeting is not recorded and any chat content is also deleted directly after the meeting.

To take part in an online meeting at least information about your name and — if you use a telephone — your telephone number must be provided. You can disable the microphone or camera transmission at any time by using the corresponding settings. Microsoft stores and uses metadata to enable us to analyse and report on the use of Teams.

In the context of order processing, Microsoft may become aware of the above-mentioned data, in order to process it. All data traffic is encrypted (TLS) and the encrypted data is stored on servers located in the European Economic Area (EEA). As far as is possible, we enable end-to-end encryption: In the event that data is nonetheless processed in the USA, Microsoft Ireland Operations Limited and Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA, have concluded the standard EU module 3 contractual clauses and have taken additional measures. For more information, see Microsoft’s data protection policy, available at: https://privacy.microsoft.com/en-us/privacystatement

As we cannot guarantee that there is a level of data protection equivalent to that of the EU, we ask for your express consent to transfer your personal data to the Microsoft Corporation and their subcontractors, when registering for a video consultation, in accordance with Art. 49 para 1 set 1 lit a of the GDPR. Due to the respective national law in third countries, there is the risk that data on the online meeting will be captured and analysed by the respective national authorities and that data subject rights under EU law cannot be fully enforced. If your consent is obtained you will also be informed of this. You consent is, of course, voluntary, but if you do not consent or withdraw your consent, you cannot take part in the video call (however, you can, of course, take part in a consultation by phone, email or on-site, at any time). Your consent can also be withdrawn at any time with future effect, whereby the processing based on the consent remains unaffected by this up to the time of withdrawal.

Apart from this, the legal basis for processing your personal data for booking the appointment and carrying out and following up on the consultation meeting is Art. 6 para 1 lit b of the GDPR, if, and to the extent that, the processing is necessary to fulfil the contract with you or to carry out pre-contractual measures at your request. Otherwise, Art. 6 para 1 lit f of the GDPR applies, based on our legitimate interest in simply and efficiently performing consultation appointments, which outweighs any conflicting interests you may have, particularly because the associated data processing is only carried out at your request.

2.9. Applications 

For the operation of the job portal (powered by talentsconnect) BIKE24 uses the services of talentsconnect AG, Niehler Straße 104, 50733 Cologne ("talentsconnect").

With the help of the job portal, you can find out about our current job offers, apply for them and submit proactive applications. In doing so, talentsconnect processes all personal data under its own responsibility. The scope of processing depends largely on the information you provide in your application.

In particular, the following personal data will be processed:

• your master data (name, address, contact data including e-mail),
• your application data (e.g. title, first name/last name, e-mail address, application documents such as cover letter, resume and references),
• automatically generated connection data and log files and
• data in connection with the search for and noting of job offers.

For the administration of application documents following your application, we use the applicant management system rexx, which is offered by rexx systems GmbH, Süderstr. 75-59, 20097 Hamburg ("rexx").

If you apply for a job at BIKE24 via our job portal (powered by talentsconnect) or if you keep a job at BIKE24 in mind via the "come back later" feature, talentsconnect will transfer your data to BIKE24. In doing so, talentsconnect maintains the data on our behalf and on our instructions as a processor via a programming interface in the applicant management system rexx used by us ("talentsconnect Fast Application"). If you have applied to us, your data will be stored and processed by rexx until your application process is completed. If you have marked a job with “come back later”, your data will be added to our talent pool (contact database) and stored and processed for 1 year by rexx. All servers used by rexx are located in the EU.

For further information on data processing at talentsconnect, in particular on the division of responsibility for individual processing steps, please refer to talentsconnect's privacy policy.

We have concluded order processing agreements with both talentsconnect and rexx in accordance with Article 28 GDPR. Accordingly, both service providers are obligated, among other things, to take appropriate technical and organizational measures to protect your data.

Furthermore, we receive contact information (surname, first name, e-mail, telephone number) via TAG24 News Deutschland GmbH ("TAG24"), provided that you have left your contact information for a job advertised by us on TAG24. We process the data received exclusively in order to contact you regarding the advertised position. To protect your data, we have concluded an order data agreement with TAG24 in accordance with Article 28 GDPR.

We process the personal data collected as part of your application so that we can carry out our application process. Based on the data, we can identify you and contact you in the further course for the purpose of possibly establishing an employment relationship. The legal basis for this is Section 26 (1) of the German Federal Data Protection Act (BDSG) in conjunction with Article 88 GDPR.

We process the personal data collected as part of the "come back later" feature so that we can add you to our talent pool (contact database). Based on the data, we have the possibility to contact you as soon as we have advertised a job suitable for your profile. The legal basis for this is your consent in accordance with article 6 (1) a) GDPR. Your data will be deleted after one year.

"Cookies" are small text files that are stored on your data carrier and contain certain settings and data. We use cookies on our websites to provide you with an optimal user experience, to compile statistics on the use of our websites and to facilitate marketing activities.

When you visit the BIKE24 shop for the first time or if you have deleted your browser data, we ask you with our cookie consent tool whether we may use cookies and, if so, which cookies we may use.

Technically essential cookies are always enabled. These cookies cannot be deactivated. You are free to decide whether you want to allow comfort cookies or marketing and statistics cookies. The use of these cookie types is only permitted with your express consent. We offer you an overview in which you can make your personal selection for each tool. You must actively consent to the use of these cookie types in order to activate these cookies. There is also the possibility to agree to the use of all cookies with one click.

You can access your personal cookie settings at any time via the footer link „cookie settings“. You can make an individual selection at any time and revoke your consent with effect for the future.

Your personal cookie settings are stored with a cookie on your data carrier. If you do not delete the cookies, you will not be asked again on your next visits to our shop.

Technically essential cookies are cookies that are absolutely necessary for the use of the website and for whose use an essential justified interest exists. We use the following technically essential cookies:

Comfort cookies are cookies that make the use of the shop more pleasant and comfortable, e.g. by additional functions in the shop. We only use comfort cookies if you have given your consent. The web shop can also be used without these comfort cookies. However, the user experience can be significantly worse.

3.4.1. Shopping Cart Cookie

The shopping cart cookie ensures that the shopping cart data is saved even after the end of a session. If you close the browser window and, for example, want to continue shopping the next day, the data of the shopping cart is still available.

If you do not allow this cookie to be set, your shopping cart will be empty after closing the browser window. The entire shopping cart data will be lost.

The legal basis for the use of the BasketStore cookie is your consent. The access to and storage of information on your terminal device is based on the consent you have given in accordance with § 25 para. 1 TTDSG. The legal basis for the processing of your personal data is the consent you have given in accordance Art. 6 para. 1 a) of the GDPR.

The consent you have given can be revoked at any time - with effect for the future - via the cookie settings on our website.

3.4.2. RememberMe-Cookie 

The cookie is only set if you have given your consent - which can be revoked at any time for the future - via our cookie settings.

As soon as you activate the function "Stay logged in" via checkbox in the login dialog, a key is stored in your browser for 365 days via cookie, which allows us to log you in again the next time you visit our website, even without an existing session. In this way, you will have direct access to your notepad, your order overview and all other functions in your customer account without any further intermediate steps.

If you have not consented to the use of the RememberMe cookie, the "Stay logged in" function cannot be activated. Accordingly, a new login is required each time you visit our website to use your customer account.

The storage period of the cookie is 365 days from your first login via the respective terminal device and browser. The storage period of the cookie is automatically reset with each login.

Your consent to the use of the cookie and the associated "stay logged in" function can be revoked for the terminal device used at the time of revocation as well as all other terminal devices by logging out on our website either "on the current device" or "from all devices". As soon as you log out, the locally stored cookie is immediately removed and the current session ends. When logging out "from all devices", the cookie is removed from the corresponding end devices at the time of the respective next call to our website.

In addition, you can revoke your consent given via cookie settings at any time with effect for the future, which also leads to the immediate deletion of the cookie on your end device.

The legal basis for the use of the RememberMe cookie is your consent. The access to and storage of information on your terminal device is based on the consent you have given in accordance with § 25 para. 1 TTDSG. The legal basis for the processing of your personal data is the consent you have given in accordance Art. 6 para. 1 a) of the GDPR.

The consent you have given can be revoked at any time - with effect for the future - via the cookie settings on our website.

We use web analysis tools to generate data about the use of our websites in order to improve our shop in a targeted manner and ultimately to achieve a better user experience. We use the web analysis tools Google Analytics and Google Tag Manager from Google Ireland Limited („Google“), Gordon House, Barrow Street, Dublin 4, Ireland. In connection with these tools, we also use tracking tools from trbo GmbH, Römerstr. 6, 80801 Munich, Germany. The aforementioned tools also set cookies, provided you have given your express consent in advance as the legal basis for their use by us.

You can find out more about the processing of your personal data by Google Analytics, Google Tag Manager and Trbo under No. 4 of this privacy policy.

If you select certain payment methods such as Amazon Pay or Paypal, cookies enabling payment using the respective payment method will be placed.

If we integrate elements of "Facelift Cloud" such as competitions or an advent calendar into our website and you call this page with your browser, a cookie is set by "Facelift Cloud" to identify and prevent attacks against the server infrastructure of "Facelift Cloud". You can find more information on "Facelift Cloud" under Section 9.

If you wish to play YouTube videos integrated into BIKE24, cookies will likewise be placed.

In all these cases, cookies are not initially set when the respective page is called up. Cookies are only set as a result of an action by you, e.g. when you select the payment method Paypal active or when you play an embedded YouTube video.

Article 6 (1) f) GDPR is the legal basis for the use of technically essential cookies. The essential justified interest lies in securing the functionality of the BIKE24 shop.

Article 6 (1) a) GDPR is the legal basis for the use of comfort cookies (nr. 3.4.) and marketing and statistics cookies (nr. 3.5.). You have given your explicit consent by unsing our cookie consent tool. More about the cookie consent tool and personal cookie settings can be found under nr. 3.2.

You can revoke your consent to the use of cookies at any time with effect for the future.

You can use the cookie consent tool for this purpose. your personal cookie settings can be accessed at any time via the footer link „cookie settings“. You can save a selection without comfort cookies and marketing and statistics cookies.

You can also delete all existing cookies in your browser settings. The next time you visit the BIKE24 website you will be asked to make a new decision about your personal cookie settings using our cookie consent tool.

BIKE24 uses marketing and analysis tools subject to your express consent. These help us to better understand how you use our website, to provide you with the content that is right for you and to improve our shop overall. Furthermore, these analytical tools help us to better tailor marketing activities to your interests and to measure the success of our marketing activities. Cookies and other technology such as local storage and scripts that store or read information on your end device are used for this purpose. 

Typically, marketing and analysis tools process the following data:

• the IP address of the device;
• the information of a cookie or in the local or session storage;
• the device identifier of mobile devices (e.g. device ID, advertising ID);
• referrer URL (previously visited page);
• pages viewed (date, time, URL, title, length of stay);
• downloaded files;
• clicked links to other websites;
• technical information: operating system; browser type, version and language; device type, brand, model and resolution;
• approximate location (country and city, if applicable).

This consent can be given via our Cookie Consent Tool. In the case of analysis and marketing tools, this consent also includes the transfer of data to third countries with a different level of data protection to the EU, in particular the USA. We would like to point out that, due to US laws and regulations, a level of data protection in the USA similar to the legal situation in Germany or the European Union cannot be guaranteed. The risks here include: the USA offers no enforceable rights or a weaker enforcement of them, and no independent data protection authority to help enforce these rights. Security agencies based in the USA may also be able to access your data. There are no restrictions on the proportionality of access and no guarantees to protect your data. Moreover, there is no effective legal protection against such access to your data.

You can revoke your consent or change your selection at any time by accessing the Cookie Consent Tool again via the ‘Cookie Settings’ link under ‘About BIKE24’ in the website’s footer.

If you have consented to its use, BIKE24 uses Google Analytics 4 (hereinafter “Google Analytics”), a web analytics service provided by Google Ireland Limited (‘Google’), based at Gordon House, Barrow Street, Dublin 4, Ireland for persons from Europe, the Middle East and Africa (EMEA), and by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA for all other persons. Google Analytics uses tracking cookies, local storage, pixels, and scripts that allow us to analyze your use of the website and thus enable us to make targeted improvements to the website and our product offering based on the statistics and reports obtained.

In addition, we also use Google Analytics to send your usage data to Google advertising services such as Google Ads for the purpose of personalized advertising. In doing so, we also create advertising target groups (remarketing), advertising reports and reports on interests and demographic characteristics. We have also enabled Google signals on our site. This links your visit to our site with your Google account in order to improve the creation of target groups and the personalization of the advertisements displayed. Google signals also enables tracking of your visit across devices and pages. Personalized advertising is only delivered if you have allowed this in your Google settings. To do this, go to https://adssettings.google.com/. The data for personalized advertising is stored for up to 26 months. Data on age, gender or interests, for example, is deleted after 2 months of inactivity.

Google Analytics also uses artificial intelligence such as machine learning for automated analysis and enrichment of data. Data evaluations can be automated or based on specific individually defined criteria: https://support.google.com/analytics/answer/9443595. Artificial intelligence helps, for example, to extrapolate the collected data of visitors who have agreed to use Google Analytics to the total number of all visitors. Alongside this, Google Analytics models conversions insofar as insufficient data is available to optimize evaluation and reports: https://support.google.com/analytics/answer/10710245. Predictive metrics on the future behavior of visitors are also created using structured event data, such as predicted sales, purchase probability and churn probability: https://support.google.com/analytics/answer/9846734. The predictive metrics can also be used for forecast target groups.

The information collected about your use of this website is usually transferred to a Google server in the USA and stored there. Google Analytics processes IP addresses only in abbreviated form by default in order to exclude the direct individualization of persons.

The following data is processed by Google Analytics:

• IP address (which is, however, anonymised before further processing);
• device ID, Google ID (Google Signals);
• referrer URL (previously visited page);
• pages viewed (date, time, URL, title, length of stay);
• events and occurrences (such as files downloaded; links clicked to other websites, scrolling behavior, searches, interaction with videos and forms, clicks on buttons and navigation tabs); 
• achievement of specific goals (conversions), if applicable;
• technical information: operating system; browser type, version and language; device type, brand, model and resolution;
• approximate location (country and city, if applicable, based on anonymised IP address).

The cookies’ storage period is a minimum of 1 minutes and a maximum of 2 years.

The following cookies are stored by Google Analytics:

• "_ga" (2 years): recognition and differentiation of visitors by a device ID;
• "_ga_VFSDVSZQ1T" (2 years): retention of the information of the current session;
• "_gid" (1 day): recognition and distinction of visitors by a device -ID;
• "_gat_UA-46166765-1" (1 minute): reduction of requests to Google servers.

The storage period of user logs is a minimum of 2 months and a maximum of 14 months. The retention period is not reset in case of renewed activity.

The following elements in the web storage are stored with the same purpose as the cookie with the same name: "_ga".

Google will use this information on behalf of the operator of this website for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator.Disabled data sharing to Google products and services, contribution and business information models, technical support, and account manager in the data sharing settings.

Besides revoking your consent, you may also prevent the storage of cookies through the appropriate settings on your browser software; however, please note that if you do this, you may not be able to use the full functionality of this website. Furthermore, you can – in addition to revoking your consent – prevent the collection of the data generated by the cookie and related to your use of the website (including your IP address) by Google as well as the processing of this data by Google by installing and activating the browser plugin available under the following link: Browser add-on to deactivate Google Analytics. 

In order to integrate Google Analytics, we use Google Tag Manager, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland for persons from the European Economic Area and Switzerland and by Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (‘Google’) for all other persons. This applies the activation of Google Analytics through a script and ensures the proper integration of the tool. Google Tag Manager only temporarily processes the connection data generated by the browser connection. Google Tag Manager does carry out any user analysis itself.

We have concluded an order processing agreement with Google Ireland Limited. In the event that personal data is transferred to the USA, Google Ireland Limited and Google LLC have concluded standard contractual clauses (Module 3). We also obtain your explicit consent for your data to be transmitted to the USA as part of the consent process.

You can also find more information in Google's privacy policy.

If you have consented to their use, we also use tracking tools from trbo GmbH, Römerstr. 6, 80801 Munich, Germany ("Trbo") for marketing purposes.

These help us to understand which pages are particularly attractive to users of our services, which products interest our customers most and which individual offers we should make to our website users in each case. The data collected and used in this context is only ever stored in a pseudonymised form (e.g. a random identification number) and is not combined with other personal data about you (e.g. name, address, etc.). Cookies, local storage, session storage and scripts are used for this purpose.

In particular, the following data is processed:

• which pages are visited when, how often and in which order,
• which products are being searched for,
• which links or offers are clicked on, and
• what orders are placed,
• from where the website is accessed.

The cookies’ storage period is a minimum of 30 minutes and a maximum of 36 months.

We have concluded an order processing agreement with Trbo.

In order to integrate Trbo, we use Google Tag Manager provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland for persons from the European Economic Area and Switzerland and by Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (‘Google’) for all other persons. This applies the activation of Trbo by means of a script and ensures the proper integration of the tool. Google Tag Manager only temporarily processes the connection data generated by the browser connection. Google Tag Manager does carry out any user analysis itself.

We have concluded an order processing agreement with Google Ireland Limited. In the event that personal data is transferred to the USA, Google Ireland Limited and Google LLC have concluded standard contractual clauses (Module 3). We also obtain your explicit consent for your data to be transmitted to the USA as part of the consent process.

If you have consented to their use, we also use tracking tools provided by Emarsys eMarketing Systems GmbH, Märzstrasse 1, 1150 Vienna, Austria (‘Emarsys’) for marketing purposes. With their help, we can better understand which of our shop’s contents or products you were particularly interested in and which of our marketing campaigns appealed to you, based on the observation of your user behaviour on our website as well as your ordering and purchasing decisions.

Specifically, these tools store:

• information about your navigation behaviour,
• which products you have placed in your shopping cart,
• and the details of these products such as type of product,
• colour and clothing sizes if applicable,
• as well as information on the use of individual marketing campaigns.

With the help of this data we can create a customer profile in order to offer you an individual customer experience and to be able to display advertising and content tailored to you on our website. If you have consented to receive personalised newsletters, this data will also be used for the individual design of these personalised newsletters.

The cookies’ storage period is a maximum of 12 months.

We have concluded an order processing agreement with Emarsys. Your data will principally be stored in the European Union. Insofar as Emarsys involves service providers based outside the European Union, there are either adequacy decisions in place or standard contractual clauses concluded for the associated possible third-country transfer. In addition, we also obtain your express consent for any data transfer to the USA as part of the consent process.

We utilise the search engine provided by Algolia SAS, 55 Rue d'Amsterdam, 75008 Paris, France (“Algolia”) on our website in order to provide a search function and filter function via the search box in our web shop as well as for improving the search results which can be obtained.

Algolia captures and processes the following data for this purpose:

• IP address,
• search enquiry via the search function,
• if applicable, the selected filter options,
• clicked on search results,
• automatically transferred connection data.

The search query is sent to Algolia for the search function and subsequently matched with the products which are provided by BIKE24 to return matching search results. For example, the product category or other filters can be set with the filter function and, with the help of it, the search results can then be narrowed down. An anonymised analysis of the search queries and the clicked-on search results is executed in order to improve the search results. Assignment to an IP address or a token does not take place in this case.

The IP address, which is transmitted when utilising the search function and filter function, will be anonymised after a short time and stored for 7 days. Search enquiries and search results without assignment to an IP address or token will be subsequently stored for 90 days.

If personal data is to be processed in this context, then the processing will be executed in accordance with Article 6 (1) f) of the GDPR based on our legitimate interest in providing an error-tolerant search for articles as well as for making it easier to locate our products in the web shop and thereby in ensuring the marketing of our offer in a customer-friendly manner.

Only if you give us your consent regarding this, will we use the information on your use of our search and filter function to understand what you are interested in and to personalise your search results accordingly, to offer you suitable products. In addition to the above-mentioned data, viewed products and filters, as well as other interactions, such as clicks on auto-completing search results, adding products to your shopping basket or going to the checkout to conclude a purchase, are saved and evaluated as a user token. This allows us to find out which product filters are particularly relevant to you and how you interact with our web shop. Algolia also uses so-called A/B testing, to evaluate the success of different design alternatives of the search and filter function, so that we can adapt these accordingly. The personalised user profiles are kept for 90 days. To enable evaluation and personalisation, Algolia uses a cookie with the user token (“_ALGOLIA”), which has a lifespan of twelve months.

The legal basis for saving cookies on the end device and reading data from it, is your consent, which can be withdrawn at any time, under Section 25 para 1 of the TTDSG (Law on data protection and personal privacy with telecommunications and on tele-media) and the legal basis for consent to the associated processing of such personal data, which can be withdrawn at any time, is in accordance with Art. 6 para. 1 sentence 1 a) of the GDPR.

We have concluded an order processing agreement with Algolia. The data will be stored on servers in Germany and the data is generally processed within the European Economic Area. Insofar as Algolia involves service providers which have their registered office located outside the European Union or the EEA, then there will either be adequacy decisions in place or standard contractual clauses that have been concluded for the associated possible third-country transfer. Measures have been implemented in order to limit personal reference to the necessary duration and to anonymise an IP address as quickly as possible. Having said this, as we cannot guarantee that there is a level of data protection equivalent to that of the EU, we ask for your express consent to transfer your personal data to third countries in accordance with Art. 49 para. 1 sentence 1 a) of the GDPR. Due to the respective national law in third countries, there is the risk that data (e.g. IP addresses) will be captured and analysed by the respective national authorities and that data subject rights under EU law cannot be fully enforced. If your consent is obtained you will also be informed of this.

In order to integrate Algolia, we use Google Tag Manager provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland for persons from the European Economic Area and Switzerland and by Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (‘Google’) for all other persons. This applies the activation of Algolia by means of a script and ensures the proper integration of the tool. Google Tag Manager only temporarily processes the connection data generated by the browser connection. Google Tag Manager does carry out any user analysis itself.

We have concluded an order processing agreement with Google Ireland Limited. In the event that personal data is transferred to the USA, Google Ireland Limited and Google LLC have concluded standard contractual clauses (Module 3). We also obtain your explicit consent for your data to be transmitted to the USA as part of the consent process.

Additional information regarding data protection from Algolia can be found at: https://www.algolia.com/policies/privacy

In case of your consent - which can be revoked at any time for the future - we use Meta pixel on our website, an analysis tool offered by Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

The Meta pixel stores cookies and uses JavaScript code as well as other technologies to access information on your terminal device. Once you visit our website and consent to the use of Meta pixel, it is triggered. We use Meta pixel to analyze the general use of our website, especially "events", and to track the effectiveness of our advertising ("conversion tracking"). In addition, we use Meta pixel to display targeted advertisements on Meta Platforms' social networks, such as Facebook and Instagram, based on your interest in our products ("Retargeting"). By triggering Meta pixel, Meta Platforms can track and log your actions, such as the purchase of a product, across platforms. The subsequent analysis of the data obtained enables us to optimize our advertising measures and to adapt them to you and your interests in the future.

Specifically, in the context of the use of Meta pixel - regardless of whether you already have an account with Meta Platforms' social networks, such as Facebook or Instagram - the following five types of data are processed: 

• HTTP header: all information stored in the HTTP header. The HTTP header is a standard web protocol that is sent between browser requests and servers on the Internet. HTTP headers contain IP addresses, web browser information, page location, document, referrer, and website visitor information.
• Pixel-specific data: This includes the pixel ID and the Facebook cookie.
• Button click data: This includes all the buttons that were clicked by you when you visited the website, the label of those buttons, and all the pages that were viewed as a result of the button clicks.
• Optional values: developers and marketers can optionally send additional information about the visit via personalized data events. Examples of personalized data events include conversion value, page type, and more.

To perform usage analytics, retargeting, conversion tracking, and serve personalized ads, we set the following cookies:

• "fbp" (3 months)
• "fr" (3 months).

The cookies’ storage period is a maximum of 3 months. Once the lifetime of a cookie has expired, your browser will automatically delete it. Your data shared until then will be stored by both us and Meta Platforms for 3 months.

On behalf of the operator of this website, Meta Platforms uses the data obtained to measure the effectiveness of the advertising we place on Meta Platforms social networks. For matching, measurement, and analysis functions of Meta pixel, in particular for analyzing the use of our website, matching the user ID and generating reports on our advertising campaigns, we have concluded a data processing agreement with Meta Platforms. In this context, Facebook only provides us with aggregated data that does not allow any direct conclusions to be drawn about individual persons. In the event that Meta Platforms transfers and processes personal data not only in Dublin but also in countries outside the European Economic Area, in particular in the USA, Meta Platforms Ireland Limited and Meta Platforms Inc. have concluded EU standard contractual clauses (Implementing Decision (EU) 2021/914, Module 3) in accordance with Art. 46 para. 2 c) of the GDPR.

In addition, in connection with the use of the Meta pixel, we are so-called joint controllers with Meta Platforms for the processing of event data, for the targeting of advertisements (through the creation and selection of target groups), the delivery of commercial and transactional messages, the improvement of ad delivery, and the personalization of features and content. To govern this relationship, we have entered into a joint responsibility agreement with Meta Platforms.

Meta Platforms also uses the collected Event Data for its own purposes, in particular to protect and secure Meta Platforms' products, for research and development purposes, and to maintain the integrity of and improve its products.

For more information, please see Facebook's Data Security Terms and Conditions and Data Policy. 

The legal basis for the use of the Meta pixel is your consent. We also obtain your express consent for the transfer of data to the USA as part of the consent process. Access to and storage of information on your terminal device is based on the consent you have given in accordance with § 25 para. 1 TTDSG.  The legal basis for the processing of your personal data, including the transfer of data to the USA, is the consent you have given in accordance with Art. 6 para. 1 a) and Art. 49 para. 1 a) of the GDPR.

You can revoke your once granted consent to the use of the Meta pixel and the associated subsequent processing and transmission of your data at any time, with effect for the future, via our cookie settings. 

In addition, if you have an account with Facebook or Instagram you have the option of deactivating the personalized advertising in the context of the use of Meta pixel. To do so, you must visit the page set up by Facebook and follow the instructions regarding the settings for usage-based advertising. You can also disable the linking of data collected outside of Instagram to serve personalized ads on Instagram, as described by a page set up by Instagram for this purpose. The settings you make in this way are device-independent.

4.6. Microsoft Advertising

In case of your consent - which can be revoked at any time for the future - we use Microsoft Advertising on our website, an online advertising program offered by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.

To use Microsoft Advertising, we have implemented a conversion tracking tag (JavaScript) in our website. This is the so-called Universal Event Tracking (UET). With the help of this tracking tool, we can display targeted advertisements via the Microsoft Bing search and find out whether you have reached our website via such an advertisement. It also enables us to analyze your interactions with our website in order to create a usage profile. The data obtained enables us to optimize our marketing measures and to adapt them to you and your interests in the future. In order to recognize you, analyze your usage and show personalized advertising, we also store the following cookies and local storage on your terminal device:

Cookies:

• "_uetsid" (24 hours)
• "_uetvid" (13 months)
• "MUID" (13 months).

Local Storage:

• "_uetsid" (expires after the stored expiration time in "_uetsid_exp")
• "_uetvid" (expires after the stored expiration time in "_uetvid_exp").

All of the collected data relates to the identification of your web browser as well as your user behavior. In order to avoid a direct identification of your person, the data is pseudonymized by Microsoft Advertising.

The cookies’ storage period is a minimum of one day and a maximum of 13 months. Once the lifetime of a cookie has expired, your browser will automatically delete it. Your data shared until then will be stored by both us and Microsoft up to 13 months.

Microsoft also uses the data it collects from you for its own purposes, including to improve its services and for reporting and performance analysis purposes.

Microsoft generally stores and processes data on servers located in the European Union. However, there is a possibility that personal data may be transferred to countries outside the European Economic Area, in particular to the United States, for subsequent processing. We also obtain your express consent for the transfer of data to the USA as part of the consent process. 

Further information on the collection, use and transfer of personal data can be found in Microsoft's privacy policy. 

The legal basis for the use of Microsoft Advertising is your consent. Access to and storage of information on your terminal device, such as cookies, is based on the consent you have given in accordance with § 25 para. 1 TTDSG. The legal basis for the processing of your personal data, including the transfer of data to the USA, is the consent you have given in accordance with Art. 6 para. 1 a) and Art. 49 para. 1 a) of the GDPR.

You can revoke your once granted consent to the use of Microsoft Advertising as well as the associated subsequent processing and transmission of your data at any time, with effect for the future, via our cookie settings. In addition, you have the option to deactivate personalized advertising from Microsoft directly via Microsoft as well as to manage your data protection settings via Microsoft.

4.7. Google Ads

In case of your consent - which can be revoked at any time for the future - we use Google Ads on our website, an online advertising program offered for persons from Europe, the Middle East and Africa (EMEA) by Google Ireland Limited with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland, and for all other persons by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

With the help of Google Ads, we can create online ads and present our products to you in a targeted manner at the time you search for them. In doing so, you will be shown personalized advertising messages for our products on partner websites of Google. Google Ads records and analyzes customer actions defined by us, such as clicking on an ad, page views or downloads, as well as information about how you got to our website and which other websites you visit.

As soon as you visit our website, Google Ads sets a cookie for conversion tracking on your end device. In addition, JavaScript, tracking pixels and other technologies are used to read information from your terminal device. These read and transmit, for example, your IP address and your interactions with our website. 

The data from Google Ads is recorded by Google Analytics. In order to compile statistics and optimize our marketing campaigns, we receive from Google in particular the number of users who have clicked on our online ads, your Customer ID created by Google and in which language you have used our website. It is not possible for us to directly identify you based on the information we receive from Google. 

The following cookies are set to store ad clicks and for conversion tracking:

• "_gcl_au" (90 days)
• "_gcl_aw" (90 days)
• IDE (13 months).

In addition, Google uses the data obtained from you for its own purposes, such as to improve and further develop its own products and services, for aggregated statistical analysis of conversions, and to improve the quality and accuracy of conversions. 

In the event that personal data is transferred to third countries outside the European Economic Area, in particular the USA, we will also obtain your express consent for the transfer of data to the USA as part of the consent process.

The cookies’ storage period is a minimum of 90 days and a maximum of 13 months. Once the lifetime of a cookie has expired, your browser will automatically delete it. Your data shared until then will be stored by both us and Google for up to one year.

For more information on data protection, please refer to the privacy guide and Google's privacy policy.

The legal basis for the use of Google Ads is your consent. Access to and storage of information on your terminal device is based on the consent you have given in accordance with § 25 para. 1 TTDSG. The legal basis for the processing of your personal data, including the transfer of data to the USA, is the consent you have given in accordance with Art. 6 para. 1 a) and Art. 49 para. 1 a) of the GDPR.

You can revoke your once granted consent to the use of Google Ads as well as the associated subsequent processing and transmission of your data at any time, with effect for the future, via our cookie settings. In addition, you can disable personalized advertising from Google by installing a plug-in or by making a setting in your account. The settings are stored in your Google account (only if you are logged in) or in the browser (even if you are not logged in).

4.8. Microsoft Clarity

In case of your consent - which can be revoked at any time for the future - we use Microsoft Clarity on our website, an analysis tool offered by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.

This analysis tool helps us to understand your interactions with our website and to improve our web shop in a targeted way using the statistics obtained. Artificial intelligence such as machine learning is also used for automated analysis. Microsoft Clarity allows us to create heatmaps and session recordings, among other things.

The following cookies are set by Microsoft Clarity on your terminal device:

• “_clck”
• “_clsk”
• “CLID”
• "MR”
• “MUID"
• "SM"

The following data fields are processed by Microsoft Clarity:

• Metadata information about the payload and page (e.g., UserId, SessionId, Start Time, Duration)
• Events (interaction events such as scroll behavior; diagnostic event such as script and image errors; page events such as document sizes; custom events set based on some event)
• Playback data, that contains information about the Document Object Model (DOM) and mutation events and are used for session playback (e.g., positional information and layout details)

The cookies’ storage period as well as the data’s storage period is a minimum of 30 days and a maximum of 13 months. Once the lifetime of a cookie has expired, your browser will automatically delete it. 

All of the collected data relates to the identification of your web browser as well as your user behavior. In order to avoid a direct identification of your person, the data is pseudonymized by Microsoft Clarity. Microsoft also uses the data it collects from you for its own purposes, including to improve its services and for reporting and performance analysis purposes.

Microsoft generally stores and processes data on servers located in the European Union. However, there is a possibility that personal data may be transferred to countries outside the European Economic Area, in particular to the United States, for subsequent processing. We also obtain your express consent for the transfer of data to the USA as part of the consent process. In addition, Microsoft has been certified under the EU-US Data Privacy Framework, so that an adequate level of protection exists in accordance with Art. 45 GDPR.

Further information on the collection, use and transfer of personal data can be found in Microsoft's privacy policy. 

The legal basis for the use of Microsoft Clarity is your consent. Access to and storage of information on your terminal device, such as cookies, is based on the consent you have given in accordance with § 25 para. 1 TTDSG. The legal basis for the processing of your personal data, including the transfer of data to the USA, is the consent you have given in accordance with Art. 6 para. 1 a) and Art. 49 para. 1 a) of the GDPR.

You can revoke your once granted consent to the use of Microsoft Clarity as well as the associated subsequent processing and transmission of your data at any time, with effect for the future, via our cookie settings. In addition, you have the option to manage your data protection settings via Microsoft.

In order to integrate Microsoft Clarity, we use Google Tag Manager provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland for persons from the European Economic Area and Switzerland and by Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (‘Google’) for all other persons. This applies the activation of Microsoft Clarity by means of a script and ensures the proper integration of the tool. Google Tag Manager only temporarily processes the connection data generated by the browser connection. Google Tag Manager does carry out any user analysis itself.

We have concluded an order processing agreement with Google Ireland Limited. In the event that personal data is transferred to the USA, Google Ireland Limited and Google LLC have concluded standard contractual clauses (Module 3). We also obtain your explicit consent for your data to be transmitted to the USA as part of the consent process. In addition, Google LLC has been certified under the EU-US Data Privacy Framework, so that an adequate level of protection exists in accordance with Art. 45 GDPR.

4.9. Dynamic Yield

In case of your consent - which can be revoked at any time for the future - we use Dynamic Yield on our website, a tracking and analysis tool offered by Mastercard Europe SA mit Sitz in Chau de Tervuren 198, 1410, Waterloo, Belgium.

With the help of Dynamic Yield, we can display different versions of our website, for example different positions of elements, different colors, graphics or buttons, and analyse their effects and differences with regard to your user behavior (so-called A/B tests). The statistics and reports obtained in this way give us the opportunity to improve our offer and our website in a targeted manner and to make it more appealing for you.

For this purpose, Dynamic Yield processes the following data:

• IP address
• Geographic information (city, state, country)
• Online identifiers (i.e., online data collected from end-user’s devices, applications and protocols)
• Audience membership (based on real time user segmentation and backend historical calculations)
• Device and browser attributes
• As applicable email address
• As applicable search query terms
• Page views and interactions
• As applicable: Customer events (e.g., “add to cart”)
• As applicable: Third-party data provided by the user
• Purchase history
• As applicable: CRM data (e.g., gender, average order value, days since last order)

In order to avoid a direct identification of your person, the data is pseudonymized by Dynamic Yield.

To enable Dynamic Yield to analyse your user behaviour, cookies and other technologies such as local storage are used. Artificial intelligence is also used in this analysis.

The following cookies are set on your terminal device:

• Personal identifiers for tracking (DYID, _dyid, _dyid_server , _cfduid, DYSES, _dy_lu_ses)
• Cookies for experimentation (_dy_ses_load_seq, _dy_soct, _dy_csc, _dyexps, _dy_att_exps, _dy_c_exps, _dy_c_att_exps)
• Cookies for tracking the specific browser behavior (_dy_csc_ses,_dy_toffset, _dyrc, _dyfs, dy_fs_page, _dybatch, _dycmc, _dyjsession, _dy_cs_storage_items)
• Cookies assisting in user segmentation (_dy_df_geo, _dy_geo, _dyaud_sess, _dyuss_<section_id>, _dy_weather_<section_id>, _dy_tsrc, _dyaud_nchc, dyaud_page, _dycnst, _dy_device, _dycst)

The cookies’ storage period is a minimum of one browser session and a maximum of 12 months. Once the lifetime of a cookie has expired, your browser will automatically delete it.

Dynamic Yield also uses the data it collects from you for its own purposes, including to improve its services and for fraud prevention. Further information on the collection, use and transfer of personal data can be found in Dynamic Yield's privacy notice.

The legal basis for the use of Dynamic Yields is your consent. Access to and storage of information on your terminal device, such as cookies, is based on the consent you have given in accordance with § 25 para. 1 TTDSG. The legal basis for the processing of your personal data is the consent you have given in accordance with Art. 6 para. 1 a) GDPR.

We have concluded a data processing agreement with Dynamic Yield in accordance with Article 28 GDPR. Accordingly, Dynamic Yield is obligated, among other things, to take appropriate technical and organizational measures to protect your data. Dynamic Yield also undertakes to principally store and process personal data on servers within the European Economic Area. If data is nevertheless transferred to countries outside the European Economic Area, then only to third countries in which an adequate level of protection exists in accordance with Art. 45, 46 of the GDPR.

When you visit the BIKE24 website, your Internet browser will send usage data to our servers. Usage data is logged in so-called log files by our servers. In this respect, the following will be stored: the data and time, the type of request, the log type and access status, the size and name of the file, the IP address from which the request originated, the referrer URL (information on the website from which you have arrived at our website), information on the Internet browser used (e.g. which browser is used, the version number of this browser and the type of encryption).

We use log files to monitor the functionality and performance of our shop and to further develop and improve the BIKE24  shop. As a result, any malfunctioning of the shop, for example, will be recorded and subsequently remedied by us. Furthermore, the storage of data in log files takes place for security reasons to ensure secure operation of our system.

Article 6 (1), f) GDPR is the legal basis for this data processing. The essential justified interest lies in securing the functionality of the shop and ensuring secure operation of our shop servers. The users' IP addresses will be deleted or anonymised after a maximum of 10 days.

BIKE24 uses the service provider CDN77, DataCamp Ltd, London, which will, on our behalf, deliver certain content from the BIKE24 shop website to you or your browser. This content includes, but is not limited to, product images. On the one hand, this service provider enables, by means of its infrastructure, speedy delivery of this data to you. In parallel, the service provider will deliver the data from a server situated as physically close to you as possible. Both these services will minimise loading times and improve the user experience for you.

The CDN service provider will necessarily receive your IP address.

Generally, no log data will be recorded. Only in the case of faults log data will be recorded by the CDN service provider for fault analysis. In this respect, the IP address will be stored only in anonymised form; the log file will be deleted after a maximum of 10 days.

Article 6 (1), f) GDPR is the legal basis for this data processing.

We utilise Cloudflare, an application from the provider Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107 USA, on this website in order to make our website faster and more secure. Cloudflare provides a worldwide, divided content delivery network with DNS. Cloudflare hereby creates copies of our website and places them on their own servers. This therefore always ensures that, when you access our website, then it is delivered by the server which can show you our website the quickest. Cloudflare simultaneously blocks threats and limits abusive bots and crawlers which can waste our bandwidth and server resources or which will try to attack our systems in other ways or methods.

All the required data transfer between your browser and our websites flows through Cloudflare's infrastructure in order to be able to provide this service. Cloudflare thereby delivers content from our website and analyses the data traffic in order to prevent attacks.

Cloudflare receives information relating to the IP addresses and DNS log data for this purpose. The IP addresses therefore merely create pseudonymised data which could, when at all only theoretically and not without considerable, time effort and cost, be assigned to a natural person. For security reasons Cloudflare additionally utilises a Cookie. This cookie is absolutely required for the Cloudflare security functions and cannot be deactivated.

The data which is collected when you access our website is stored and processed exclusively in the European Union (“Data Localisation Suite”). This also comprises the data log files which have been developed from this and, in particular, data processing in order to speed up the secure call-up of the page, to detect threats such as bots and DDoS attacks as well as ensuring the stability of the connection set up. We have therefore concluded an agreement with Cloudflare for the usage of regional, European infrastructure and services. This especially comprises the “Customer Metadata Boundary” option. This function always ensures that all traffic metadata, which can also include the IP address, is also processed exclusively on servers in the European Union (in particular in Luxembourg).

Additional information relating to these security measures can also be found at: https://support.cloudflare.com/hc/en-us/articles/360061946171-Data-Localisation-Suite.

Warranting the security and accessibility of our website constitutes a legitimate interest on our part pursuant to Article 6 (1) f) GDPR. We have concluded a corresponding order processing agreement with Cloudflare, with regard to transmitting the data, in accordance with Article 28 GDPR.

Cloudflare usually stores your data for up to seven days. However, when your IP address should trigger a security alert at Cloudflare, then there can be exceptions to the storage period which has been detailed above.

In principle, Cloudflare stores and processes personal data on servers which are located in the European Union. However, as Cloudflare Inc. is deemed to be a US provider, we have also concluded EU standard contractual clauses with Cloudflare (Commission Implementing Decision (EU) 2021/914, Module 2) regarding the transfer of personal data to the USA, which cannot be completely excluded in every case. Thereafter, Cloudflare hereby undertakes in particular to challenge and inform about any request from US security authorities, unless this is not prohibited by law. There are also extensive, and comprehensive, additional safeguards in place in order to limit data processing to the European Union, as listed above. A decree by the European Commission on the adequacy of the level of data protection which is in place in the USA is currently not available. You are entitled to request a copy of the EU standard contractual clauses from us.

We utilise the services offered by Zenloop GmbH, Erich-Weinert-Str. 145, 10409 Berlin (“Zenloop”) in order provide a feedback widget. Utilising Zenloop enables the possibility for collecting and evaluating voluntary feedback from users and customers within the framework of surveys with the widget. We evaluate your feedback in order to improve our site and to be able to respond to the wishes of our users and customers. Cookies are also utilised to ensure the functionality of Zenloop. These are utilised to decide whether the widget is displayed. Furthermore, the secure integration of the widget is always guaranteed. Spam attacks or bot attacks will be prevented, as well as a simple, anonymous count of call ups on the page.

Zenloop processes the following data:

• IP address;,
• Email addresses, if they are entered;
• Information from Cookies;
• Technical information relating to the browser, the operating system and the end device;
• Usage information, such as e.g. the number of views;
• Answers submitted in the feedback widget.

The legal basis for processing your data is your consent in accordance with Article 6 (1) lit. a of the GDPR.

An encrypted connection to Zenloop and its sub-processors will be established for the integration of the widget. Zenloop stores and processes the encrypted data exclusively in the European Union. Where order processors are involved which themselves, or their parent company, are based in the USA, then standard contractual clauses (Commission Implementing Decision (EU) 2021/914, Module 3) have been concluded between Zenloop and the sub-processors or between the US parent company and any EU subsidiaries which may also be involved.

In order to integrate Zenloop, we use Google Tag Manager provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland for persons from the European Economic Area and Switzerland and by Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (‘Google’) for all other persons. This applies the activation of Zenloop by means of a script and ensures the proper integration of the tool. Google Tag Manager only temporarily processes the connection data generated by the browser connection. Google Tag Manager does carry out any user analysis itself.

We have concluded an order processing agreement with Google Ireland Limited. In the event that personal data is transferred to the USA, Google Ireland Limited and Google LLC have concluded standard contractual clauses (Module 3). We also obtain your explicit consent for your data to be transmitted to the USA as part of the consent process.

On the BIKE24 website you will find links to social media platforms from Facebook, Youtube, Instagram and Twitter where BIKE24 is represented and offers content. These are static links. BIKE24 does not use social media plugins.

BIKE24 is represented in social media in order to get in touch with our customers, interested parties and other users and to inform them about products, events or competitions. We would like to point out that personal data is collected and processed by the respective provider when you visit the corresponding pages. The legal basis for the processing of users' personal data is Art. 6 (1), f) GDPR. The essential justified interest of BIKE24 lies in the optimal design and improvement of the company presentation. 

If you use our offers in the respective social network as a logged-in member, your consent to data processing pursuant to Art. 6 (1), a) GDPR is given to the social media platform. In order to understand and improve our activities, we use corresponding evaluations in the form of statistics provided by the respective provider.

BIKE24 uses the technical platform of Facebook Ireland Ltd, 4 Grand Canal Square Grand Canal Harbour, Dublin 2, Ireland for the aforementioned information service.

Please note that you are responsible for using this Facebook page and its functions. This applies in particular to the use of interactive functions (e.g. commenting, sharing, rating).

When you visit our Facebook page, Facebook collects your IP address, among other data. This and other information is used to provide us, as the operator of the Facebook pages, with statistical data about the use of our Facebook page. Facebook provides further information on this under the following link:

https://www.facebook.com/help/pages/insights

The data collected about you will be stored and processed by Facebook Ltd. outside the European Union if necessary. We cannot provide any information about whether and how Facebook uses visitor data from our Facebook page for its own purposes. Nor do we have any information as to whether your data is passed on to third parties, combined with data from other Facebook offers, how long Facebook stores data and whether page visits are assigned to individual users. You can read about what information Facebook actually receives and how Facebook uses it in Facebook's data usage guidelines. In the data usage guidelines you will also find further contact options for Facebook as well as setting options for advertisements. The Data Usage Guidelines can be found here:

http://www.facebook.com/about/privacy

The complete Facebook data guidelines can be found here:

https://www.facebook.com/full_data_use_policy

BIKE24 itself does not collect and process any further data from your direct use of Facebook. Data processing is only possible for sweepstakes or competitions. In these cases, we use contact data, for example, to contact winners of our raffles. BIKE24 uses the software Facebook Insights for a general evaluation of the Facebook page. Here we are provided with anonymous data from Facebook that does not allow any conclusions to be drawn about individual users. As already mentioned, we use this statistical data from Facebook Insights to design and improve our Facebook offering accordingly.

According to Facebook, Facebook stores your IP address when you visit our Facebook page. According to Facebook, this is anonymized and deleted after a storage period of 90 days (German IP addresses). In addition, Facebook stores information about the end devices that you use for the visit. By assigning IP addresses, individual users may be identified.

Facebook stores cookies with your Facebook ID on your device when you are logged in to Facebook. This cookie enables Facebook to track your page views within Facebook. This applies to the Facebook page of BIKE24 and also to Facebook pages of other providers. If you use a Facebook button embedded in a website, Facebook may associate that use with your profile. This makes it possible for Facebook to offer you advertising that results from your user behavior.

You can avoid this by logging out of Facebook before visiting the BIKE24 Facebook page and disabling the "Stay signed in" feature. In addition, you must delete all cookies from your device and restart your browser. You can then use our Facebook page without having your Facebook ID processed.

If you want to use functions on Facebook to interact with us (like, comment, share, news, etc.) you will be shown a login screen. This form of interaction is only possible for registered Facebook members. However, as soon as you are logged in again, you will be recognizable as a user for Facebook again. Further information on the Facebook data policy can be found under the following link:

https://www.facebook.com/about/privacy

9.2. Twitter

BIKE24 uses the technical platform and services of Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA for the short message service offered here.

Please note that you are responsible for using Twitter and its functions. This applies in particular to the use of interactive functions (e.g. commenting, sharing, rating).

If you use Twitter, your data will be stored and processed outside the European Union. The data that may be transmitted includes your IP address, the application you are using, and information about the device you are using. It may also include information about your location and the websites you visit.

Twitter links this collected data to your Twitter account and may be able to create a behavioural profile. BIKE24 cannot influence the nature and extent of the data collected by Twitter. We also have no control over whether Twitter passes on your data to third parties or for what purposes Twitter uses the stored data.

Under the following link you will find information about which data Twitter collects and processes according to its own statement:

https://twitter.com/en/privacy

If you have a Twitter account and would like to view information about the data you have stored on Twitter, you can do so at the following link:

https://support.twitter.com/articles/20172711#

You can also use the Twitter data protection form to send your questions about data protection directly to Twitter. You can also download your Twitter archive:

https://support.twitter.com/forms/privacy

https://support.twitter.com/articles/20170320#

BIKE24 itself does not collect and process any other personal data from your direct use of Twitter. We use Twitter Analytics for a statistical evaluation of our activities on Twitter. This function enables us to optimally design our presence on Twitter and does not allow any conclusions to be drawn about the data of individual users.

In the settings of your Twitter account you have the option to restrict the processing of your data by Twitter ("Privacy and Security"). Here you also have the option of restricting Twitter access to your contact and calendar data, photos and location data on your end device. You can find information about this on Twitter under the following links:

https://support.twitter.com/articles/105576#

https://twitter.com/en/privacy

9.3. Instagram

BIKE24 nutzt für den genannten Dienst die technische Plattform von Instagram (Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland bzw. Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA). Instagram speichert personenbezogene Daten von Ihnen, wenn Sie diese Seite besuchen.

BIKE24 as the responsible person has reached an agreement with Facebook, which also regulates the conditions for using the Instagram page. The basic terms are the Instagram Terms of Use at https://help.instagram.com/581066165581870 and the other terms and guidelines listed at the end.

By processing information, Facebook is able to distribute advertising for its users via its own network. The data processing by Facebook also enables BIKE24 to use statistics provided by Facebook. In this way, BIKE24 can optimally design its own content and better reach its users. Parts of these statistics contain demographic and geographical information. However, BIKE24 has no influence on the underlying data. These data are not known to us in their entirety.

It is likely that the data collected about you by Facebook Ltd. will be stored and processed outside the European Union.

As a user of Instagram, you can influence the storage of data and the recording of user behavior through Instagram in your profile settings by making the appropriate settings.

Instagram users can use the Advertising Preference settings to control the extent to which their user behavior is captured when they visit our Instagram page. 

For more information, see the Facebook and Instagram settings:

https://www.facebook.com/login.php?next

https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen

https://www.instagram.com/accounts/login/?next=/accounts/privacy_and_security/

or the form to the right of objection under:

https://www.facebook.com/help/contact/1994830130782319

If you want to avoid cookies being placed by Facebook and prevent the associated processing of your data, set your browser so that no third-party cookies or Facebook cookies are allowed.

For more information about how Facebook handles personal information on Instagram, please see its privacy policy at https://help.instagram.com/519522125107875 and http://instagram.com/about/legal/privacy/, respectively.

9.4. Youtube

On the BIKE24 website, videos of selected articles and brand shops of the corresponding brands are displayed, for example. The videos are made available on the video portal of YouTube LLC, 901 Cherry Ave, 94066 San Bruno, CA, USA, (YouTube) by the brands. In addition, BIKE24 maintains its own YouTube channel.

YouTube is a subsidiary of Google LLC, Gordon House, Barrow Street, Dublin 4, Ireland, hereinafter referred to as "Google".

Videos are used by BIKE24 exclusively within the "Extended Privacy Mode". According to YouTube, this function only transmits user data to YouTube when a video is actually started. 

If you start a video as a logged in YouTube member, the call of the video will be associated with your YouTube account. You can prevent this information from being linked if you log out of your YouTube customer account before visiting our website. Alternatively, you can make the necessary settings in your YouTube account.

Youtube stores permanent cookies on your end device in order to guarantee functionality and to analyse user behaviour. You can prevent the storage of cookies on your terminal device by making the appropriate settings in your browser.

Under the following link you will find further information on data collection by Google and on your rights against Google:

https://policies.google.com/privacy data protection information.

9.5. Further information

If you wish to assert your rights of data subjects against the social media platforms mentioned above, it is ideal to contact the respective platform directly with your request for information. Even if a joint responsibility arises from the cooperation between BIKE24 and the individual platforms, the platforms alone have the opportunity to provide you with full information about the data stored by you there. However, should our support be necessary, you can contact us at any time.

If you have any questions regarding data protection, please contact our data protection officer at datenschutz at bike24.net.

If you have any questions about a current order or need advice on a product, please contact our competent service team exclusively. Information for contacting us can be found here:

https://www.bike24.com/contact/customer-service

For data protection reasons, we do not make our customer service available via "social media platforms".

Below, we would like to summarise for you your rights under the General Data Protection Regulation.

You have the right time to revoke your consent at any time. Revocation of your consent will not affect the lawfulness of the processing carried out on the basis of your consent up to the time of revocation. Before you give your consent, you will be informed hereof.

Under Article 15 GDPR, you have the right to demand from us confirmation of whether we process personal data concerning you. If this is the case, you have the right to access this personal data and the following information:

• the purposes for which we process this data;
• the categories of personal data processed by us;
• to whom this personal data has been disclosed, or is yet to be disclosed, particularly in the case of disclosure to recipients in third countries or at international organisations;
• if possible, the envisaged period of storage of the personal data, or, if this is not possible, the criteria used to determine this period;
• the existence of a right to rectification or erasure of the personal data concerning you, or a right to restriction of processing by us, or a right to object to processing by us;
• the existence of a right to lodge a complaint with a supervisory authority;
• in cases where the personal data is not collected from you, all available information concerning the origin of the data;
• whether automated decision-making, including profiling, as referred to in Article 22 (1) and (4) GDPR, takes place, and, if so, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for you.
• If personal data is transferred to a third country or to an international organisation, you will have the right to be informed of what suitable safeguards have been put in place to ensure that these recipients also comply with the provisions of the GDPR.

You may demand that we rectify, without delay, inaccurate data concerning you. With due regard being given to the purposes of the processing, you will, additionally, have the right to demand that incomplete personal data be completed, also by means of a supplementary statement.

You have the right that we erase data without delay if one of the following grounds applies:

• The data is no longer needed for the purposes for which it was collected or otherwise processed.
• You revoke your consent on which the processing was based, and there is no other legal basis for the processing.
• In accordance with Article 21 (1) GDPR, you lodge an objection to the processing for reasons ensuing from your particular situation, and there are no overriding legitimate reasons for the processing.
• In accordance with Article 21 (2) GDPR, you lodge an objection to processing for direct marketing purposes.
• The data has been unlawfully processed.
• It is necessary to erase the data in order to fulfil a legal obligation under European or German law.
• The data has been collected in relation to an offer of information society services in accordance with Article 8 (1) GDPR.

If we have made your data public and are obliged to erase it, we shall, with due regard being given to the available technology and the implementation costs, take appropriate measures to inform the controllers that you have requested the erasure of your data.

According to Article 18 GDPR, we must restrict the processing of your data in the following cases, namely if:

• you dispute the accuracy of your data, in which case the processing will be restricted until we have been able to check the accuracy;
• the processing is unlawful, and you decline to have your data erased and demand instead that use of your personal data be restricted;
• we no longer need the data for the purposes of the processing, but you need this data for asserting, exercising or defending legal claims, or
• you lodge, in accordance with Article 21 (1) GDPR, an objection to the processing for reasons ensuing from your particular situation, as long as it has not yet been established whether the legitimate reasons for the processing by us outweigh your interests.

If processing is restricted, we shall merely be permitted to store this data. Any processing beyond this will then be permissible only with your consent or for the purpose of asserting, exercising or defending legal claims or for protecting the rights of another natural person or legal entity or for reasons of an important public interest of the Union or a Member State.

You may at any time revoke your consent given in this connection.

You will be notified by us before the restriction is lifted.

All recipients to whom your data has been disclosed must be informed by us of any rectification or erasure of your data, or of any restriction of processing. This will be inapplicable only insofar as this proves to be impossible or is associated with disproportionate expense. We shall inform you of these recipients if you so request.

You have the right to receive in a structured, commonly used and machine-readable format the data concerning you that has been provided to us. Additionally, you have the right that we transfer this data to a third party insofar as

• the processing of the data is based on your consent or on a contract, and
• the processing takes place by automated means.

in this respect, you may demand that we transfer your data directly to such third party insofar as this is technically feasible. This right must not impair the rights and freedoms of other persons.

You have the right not to be subject to a decision based solely on automated processing, including profiling, that has legal effect on you or that impairs you in a similar manner. This will not apply if:

• you have given your express prior consent thereto, or
• the decision is necessary for the conclusion or performance of a contract between us, or
• applicable legal provisions permit this, and these provisions contain appropriate measures for protecting your rights and freedoms as well as your legitimate interests.

In the first two cases, we shall take appropriate measures to protect your rights and freedoms as well as your legitimate interests. This includes your right to state your own point of view, your right to challenge the automated decision and your right to intervention by one of our employees.

If we process your data on the basis of a legitimate interest (Article 6 (1) f GDPR), you will have the right to lodge an objection thereto if the grounds for this ensue from your particular situation. This also applies to any profiling based on these provisions. In this case, we shall no longer process your data, unless we can prove that the reasons for the processing are compelling and worthy of protection. This must outweigh your interests, rights and freedoms, or the processing must serve the assertion, exercise or defence of legal claims.

Insofar as we process your data in order to engage in direct marketing, you may lodge an objection to the processing of your data. This also applies to profiling insofar as profiling is related to such direct marketing.

Following your objection, your data will no longer be processed for these purposes.

To lodge an objection, merely send a corresponding informal notification using the contact details given in Section 1.

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State where you reside or work or where the alleged breach took place, if you are of the opinion that the processing of the data concerning you breaches the General Data Protection Regulation. Further legal remedies under administrative law, or judicial remedies, to which you may possibly be entitled will remain unaffected hereby.